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(54) Method and apparatus for firmware authentication 



(57) An apparatus for firmware authentication and 
methods of c^erating the same result in software up- 
gradabifity to firmware without compromising the integ- 
rity of the firmware. The apparatus for fimiware authen- 
tication of a boot PROM comprises a software program- 



mable data section having a plurality of micro-code. An 
authentication section having a hash generator config- 
ured to generate a data hash in response to the plurality 
of micro-code programmed in the software programma- 
ble data section to authorize execution of the plurality 
of micro-code of the data section. 
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D scription 

The present invention relates to authentication of 
firmware (for example, programmed microHxxie such 
as programmable micro-code written in a memory de- 
vice). 

Computer systems during initial power up rely on a 
sequence of instructional routines which buikJ on each 
previously executed instructional routine until the com- 
puter system is initialized. Micro-code, also referred to 
as firmware or boot code, is the first level of the instruc- 
tional routines that are executed when the computer 
system is initially powered up. The micro-code stored in 
non-volatile memory devices such as a memoiy IC (in- 
tegrated circuit) directs the computer system to certain 
boot blocks located on a disk drive. As these boot bkxks 
on the disk drive are executed, successively larger 
blocks of boot data are loaded until finally the operating 
system, such as an Unix or Microsoft Windows of the 
computer system is kiaded. 

The micro-code for the initial boot up instructions of 
a computer system is typically stored in a boot ROM 
(read only memory) or boot PROM (programmable read 
only memory). An example of a PROM is a flash PTOM. 
often referred to as flash memory. Needs arise when the 
micro-code for the initial boot up instructions requires 
updating. Those computer systems having ROMs re- 
quire new ROMs. Replacing oW ROMs with newly sup- 
plied ROMs is expensive. Furthermore, the computer 
system has to be disassembled to gain access to re- 
place the ROMs. 

In computer systems with boot PROMs that employ 
flash technotogy, updating new micro-code entails ac- 
cessing the flash PROM using software and program* 
ming the flash PROM with new micro-code. However, 
because the mfcro-code contained m the boot PROM is 
the first code that is executed, reasons to limit program- 
ming access to the flash PROM include: 1) inadvertent 
programming can cause the computer system become 
completely Inactive; 2) security sensitive environments 
require that the micro-code be tamper-proof to prevent 
security risks. Thus, safeguards are currently In place 
to prevent modification of the boot PROM. 

These safeguards include using boot ROMs to store 
the micro-code or setting hardwire jumpers that prevent 
software nxxlification off boot PROMs. In order to modify 
the mrcro-code. boot ROMs must be replaced with new 
boot ROMs containing the updated mfcro-code. In the 
case of boot PROMs, user intervention is required to 
manually switch the jumpers of the boot PROMs to en- 
able programming access to the boot PROMs for the 
new micro-code. In either case, user inten^ention is re- 
quired to physfcally open the computer system and 
make the necessary changes. The changes range from 
the replacement of old boot ROMs with new boot ROMs 
to changing jumper settings of the flash boot PROM to 
enable and disabi programming of the flash boot 
PROM. Thus, the safeguards require additional time 



and eflort from the users to implement modifications to 
the micro-code. The process of providing upgrades to 
the micro-code programming is cuotbersome and time- 
consuming. 

Therefore, it is desirable to provkie an apparatus for 
authenticating firmware programmed in a boot PROM 
and methods of operating the same that enable pro- 
gramming access to the boot PROM without compro- 
mising the authentrcity of the firmware that overcome 
the disadvantages of disassen:ibling the computer sys- 
tem. 

Vairfous respective aspects and features of the in- 
vention are defined in the appe(\6ed claims- 

The present invention provides an apparatus for 
firmware authenticatkxi and methods for operating the 
same which result in software upgradability to firmware 
without compromising the Integrity of the firmware. The 
novel application for authent cation of firmware Is t)ased 
on cryptography Thus, according to one aspect of the 
invention, a boot PROM (programmable readonly mem- 
ory) having programming instructions for initiating a 
computer system is provided. A software programmable 
data secton has a plurality of micro-code. An authenti- 
cation sectksn havinga hash generator generates a data 
hash in resp<xise to the plurality of micro-code pro- 
grammed in the software programmable data sectkxi to 
authorize execution of the plurality of micro-code of the 
data sectkxi. 

According to another aspect of the invention, the 
software programmable data section includes a prede- 
termined digital signature, and the authentk:atk3n sec- 
tion includes a predetermined public key and a decryp- 
tor whfch provkfes an V0rificatk>n hash in response to 
the predetermined sj^ature and the publk? key The au- 
35 thentfcatkjn sectk^n also includes a comparator whfch 
compares the data hash with the verifkation hash to au- 
thentk:ate the plurality of micro-code of the software pro- 
grammable data sectkxi. If the data hash and the veri- 
fication hash do not match, a message alerts the user 
of the mismatch indfcating that the micro-code \s not au- 
thenticated. 

According to another aspect of the invention, the 
authenticatksn sectk>n includes a plurality of trusted mi- 
cro-code whkJh initiates execution of the plurality of mi- 

^ cro-code of the software programmable data section in 
response to proper authentfcatkjn of the data hash. The 
proper authentication of the data hash by the authenti- 
cation section of the plurality of trusted microcode af- 
fords the plurality of micro-code programmed in the soft- 

50 ware programnnable data sectkxi to a level of trusted 
code. Thus, the trusted code of the software program- 
mable data section can be used to authenticate another 
set of downstream code that is executed during the boot 
up sequence for the computer system. 

»5 According to yet another aspect of the invention, the 
software programmable data sectfon includes a flash 
memory whk:h enables software reprogramming of the 
plurality of mk:ro-code. Other programmable storage 
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mediums are also usable for the storage of the micro- 
code. The authentication section includes a ROM (read 
only memory) that provides a base line for trusted code. 

An apparatus and method for firmware authentica- 
tion are provided by authenticating the software pro- 
grammable data section of the boot PROM with a trust- 
ed ROM section of the boot PROM. The ability to provide 
software programmability of the boot PROM affords 
ease in upgradability that saves time, effort, and energy. 
Upgrading with newer versions of the boot PROM af- 
fords support for new f unctfons and eliminates bugs and 
other inconsistencies that can plague older versions of 
the boot PROM. Thus, the newer boot PROMs provide 
for a smoother and more efficient operating computer 
system. 

The invention will now be described by way of ex- 
ample with reference to the accompanying drawings, 
throughout which like parts are referred to by like refer- 
ences, and in which: 

Fig. 1 illustrates a system level block diagram of a 
computer system; 

Fig. 2 illustrates a block diagram ot a flash PROM 
of the computer system m accordance with the 
present invention; 

Fig. 3 illustrates a flow diagram for generating a sig- 
nature in accordance with the present invention; 
and 

Fig. 4 illustrates a flow diagram for authenticating 
unsecured micro-code of the programmable sec- 
tbn of the flash PROM. 

Embodiments of the invention will now be described 
with respect to the figures in which Fig. 1 generally 
shows a simplified computer system 10. The computer 
system 10 includes a CPtJ (central processing unit) 12. 
display 14, hard disk 16 and a flash PROM (program- 
mable read-only memory) 18. The computer system 10 
is for illustrative purposes as many variations to the ar- 
chitecture of the computer system 10 are available and 
known in the art. CPU bus 22 couples the CPU 12 to 
data bus 13. The CPU 12 includes a memory 15 which 
stores instructions and data for processing by the CPU 
12. Disk drive bus 26 couples the disk drive 16 to the 
data bus 1 3. The disk drive 1 6 provides non-volatile data 
storage for the computer system 10. Data transfers oc- 
cur between the CPU 12 and the disk drive 12 as the 
data Is processed by CPU 12. Display bus 24 couples 
the display 14 to the data bus 13. The display 14 re- 
ceives output data for display. The display 14 includes 
a keyboard 17 coupled to the display via cable 19. The 
keyboard 1 7 provkies an user interface to computer sys- 
tem 10. PROM bus 28 couples the flash PROM 18 to 
data bus 13. The flash PROM 18 includes Initialization 
instrucltons for the computer system 10. 

During start-up of th computer system 10, micro- 
code instructions stored in th flash PROM 18 are exe- 
cuted. The mk:ro-code instructions include boot code 



that directs execution of particular boot blocks of the 
hard disk 1 6. Once the instructions contained in the boot 
bkxks of the hard disk 1 6 are executed and loaded into 
the memory 15. higher level instructions and code are 

5 executed and loaded into memory 1 5 such as operating 
systems for Windows 95. Unix, or Macintosh based 
computers. The higher level instructions and code may 
be executed from a network sewer. Thus, in an alterna- 
tive embodiment, computer system 10 is one of a 

10 number of computer systems coupled to a network- 
In a network, the computer system 10 may not in- 
clude the disk drive 16, as data transfers are through a 
network sender. The network sewer includes wired net- 
work connectk)ns, RF (radk) frequency) network con- 

^5 nectbns, and IR (infrared) network connections. Other 
computer systems include hand held systems such as 
PDAs (Personal Data Assistants) and computer sys- 
tems that include mtero-code to initialize the computer 
system. 

^0 Fig. 2 illustrates a block diagram of the flash PROM 
18. The flash PROM 18 is divided into two main sec- 
tions: a authenlicatk>n section 45 and a programmable 
section 55. The authentication sectk>n 45 is a ROM 
(read-only memory). The micro-code instructk^ns con- 
^5 tained in the authentication section 45 are read-only. 
The micro-code instructkxis contained in the program- 
mable section 55 are re- writable. For example, the pro-' 
grammable sectkjn 55 includes a flash memory that is' 
software programmable with new micro-code. 
30 The authenticatkjn section 45 authentrcates the 
programmable sectkm 55 to verify that the micro-code 
instructions which boot the computer system 10 are 
trusted because the programmable sectkjn 55 is soft- 
ware programmable. The authentication section 45 in- 
3S eludes a plurality of secure micro-code 5 1 , a comparator 
52, a hash generator 53, a decryptor 54 and a public^ 
key 56. The unsecured section 55 includes a digital sig- 
nature 57 and a plurality of unsecured micro-code 58. 

During initialization of the computer system 10, the 
secure micro-code 51 of the authentication sectkjn 45 
executes and directs the hash generator 53 to generate 
a data hash of the unsecured micro-code 58 pro- 
grammed in the programmable section 55 of the flash 
PROM 18. The secure micro-code 51 also directs the 
4S decryptor 54 to calculate a verification hash. The de- 
cryptor applies the public key 56 of the authentkation 
section 45 and the digital signature 57 of the program- 
mable section 55 and calcutates the verification hash. 
Once the verificatkjn hash and the data hash are 
50 generated, the mk:ro-code 5 1 directs the comparator 52 
to compare the verification hash with the data hash. If 
the verificatk)n hash matches the data hash, the unse- 
cured micro-code 55 Is properly verified and permitted 
to execute. If the comparison of the verification hash and 
55 the data hash fails, the unsecured micro-code 58 is cor- 
rupted or had been altered without proper authorization. 

Publk;-key cryptography verifies that the digital sig- 
nature 57 and the public key 55 decrypts toa verificatkm 
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hash which matches the data hash of the micro-code 
programmed in the programmable sectkxi 55 of the 
flash PROM 18. The data hash generator 53 generates 
the data hash. A digital signature 57 of the programma- 
ble section 55 is provided when the programmable sec> 
tion 55 is programmed. During authorized progtamming 
of the programmable section 55. an initial hash from the 
authorized programming micro^xxJe is generated. 
Next, a proper digital signature 57 is encrypted from a 
secret key and the hiitial hash of the authorized pro- 
gramming micro-code 58 using publk: key cryptography 
techniques. The proQer digital signature 57 and the au- 
thorized programming micro-code 56 are written to the 
programmable section 55. 

The authentication section 45 of the flash PROM 1 8 
is initially programmed with the secure micro-code 51. 
the comparator 52, the hash generator 53. the decryptor 

54, and the public key 56. Whenever the computer sys- 
tem 10 is initialized, the authentfcation section 45 veri- 
fies that the data hash of the unsecured micro-code 58 
matches the verification hash to ensure the integrity of 
the unsecured micro-code 58 and authenticate that the 
unsecured micro-code 58 had not been altered. As the 
unsecured micro-code 58 of the programmable section 
55 is authenticated, the trust level of the unsecured mi- 
cro-code 58 is raised to a level of trusted. Thus, the au- 
thentuated micro<xxie 58 can be used to authenticate 
other initialization code down stream in the start-up se- 
quence of the computer system 10. 

Fig. 3 shows a flow diagram for generating a digital 
signature 57 for the micro-code 68. The diagram begins 
with generation of the verificaticxi hash from the micro- 
code 56 in step 62. Next, the private key is obtained for 
the generation of a verification hash from the microcode 
58 in step 64. In step 66, the verificatksn hash is encrypt- 
ed using publk; key cryptography techniques and the pri- 
vate key to obtain the digital signature 57. Finally, in step 
68. the digital signature 57 is programmed with the mi- 
cro-code 58 Id the programmable sectkyi 55 of the flash 
PROM 18. 

Fig. 4 shows a flow diagram for authentk:ating the 
unsecured micro-code 58 of the programmable section 

55. The diagram l>egins with generation of the data hash 
from the unsecured mrcro-code 58 contained in the pro- 
grammable section 55 in step 72. in step 73, the verifi- 
cation hash is decrypted with the public key 56 con- 
tained in the authenticatk)n section 45 and the digital 
signature 57 contained in the programmable sectk>n 55. 
Step 74 provides a comparison of the verif icatkxi hash 
with the data hash, (n decision step 75. if the verification 
hash matches the data hash then step 77 authorizes the 
execution of the mk:ro-code 58 contained in the pro- 
grammable sectbn 55. If in decision step 75. the verifi- 
cation hash does not match the data hash; step 78 pro- 
vkies a message to the user that an error occurred dur- 
ing authentication of the programmable section 55 and 
offers a r covery solutbn for the user to obtain valkf mi- 
croKXXle. 



A flash PROM 18 having an authentication section 
45 and a programmable section 55 affords ease in up- 
dating the flash PROM 18 with new micro-code without 
compromising security. Implementing public-key cryp- 

s tography having a private key and a publk: key to verify 
the programmable sectbn 55 with the authentk:at»n 
section 45 assures that the programmable section of the 
micro-code is proper and authentfc. The integrity of the 
unsecured micro-code 58 of the programmable section 

10 55 is also verified when the verificatkxi hash matches 
the data hash. As the trust level of the unsecured nriicro- 
code 58 is raised to a level erf trusted, other tx)ot data 
such as the boot bkxks of the disk drive 16 used for 
initializing the computer system 10 can be similarly au- 

15 thenticated using the now trusted micro-code 58 of the 
programmable section 55. Thus, a propagatk5n of a se- 
ries of security checks during the boot-up sequence can 
be implemented to ensure that each sequence executes 
properly authentrcated boot code 

20 While the foregoing detailed descriptbn has de- 
scritsed several emtsodiments of the apparatus and 
methods of finnware authentication h accordance with 
this Invention, it is to be understood that the above de- 
scriptk)n is illustrative only and not limiting of the dis- 

25 ctosed invention. ODviously, many modifications and 
variatfons will be apparent to the practitraners skilled in 
this art. Accordingly, the apparatus and methods of 
firmware authentication has been provided which au- 
thenticates the programmable sectksn of a flash PROM 

30 vvith a read-only sectfcn of the ftash PTOM by applica- 
tion of public-key cryptography. By affording a program- 
mable section of the ftash PROM to be software pro- 
grammable, updates to the firmware are accomplished 
without compromising the integrity of the firmware. No 

35 kxiger are system operators required to disassemble 
computer systems to perform updates to system start- 
up firmware. 

Particular and preferred aspects of the invention are 
set out in the accompanying independent and depend- 
^0 ent claims. Features of the dependent claims may be 
combined with those of the independent claims as ap- 
propriate and in combinations other than those explicitly 
set out in the claims. 
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Claims 



A boot PROM (programmable read only memory) 
having programming instructions for initiating a 
computer system comprising: 

a software programmable data section having 
a plurality of mk;ro-€Ode; and 
an authenticatkin section having a hash gener- 
ator configured to generate a data hash in re- 
sponse to the plurality of microcode pro- 
grammed in the softwar programmable data 
section to authoriz executkm of the plurality of 
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mIcro-ccxJo of the data section, 

2. The boot PROM according to claim 1 , wherein: 

the software programmable data section in- 
cludes a predetermined signature; and 
the authentication section includes a predeter- 
mined public key and a docryptor configured to 
provide an verification hash in response to the 
predetemiined signature and the public key. 



3. 



7, 



a 



The boot PROM according to claim 2, wherein the 
authentication section includes a comparator con- 
figured to compare the data hash with the verifica- 
tion hash to authenticate the plurality of micro-code 
of the software programmable data section. 

The boot PROM according to claim 2, wherein the 
predetermined signature includes an encryption of 
a private key and an initial hash of a plurality of initial 
micro-code programmed to the software program- 
mabfedatasectbn. 

The boot PROM according to claim 1 , wherein the 
authenf icatk>n section includes a plurality of trusted 
micro-code configured to initiate execution of the 
plurality of micro-code of the software programma- 
ble data section in response to proper authentica- 
tbn of the data hash. 

The boot PROM according to claim 5, YMerem the 
proper authentication of the data hash by the au- 
thentication section of the plurality of trusted micro- 
code affords the plurality of micro-code pro- 
grammed in the software programmable data sec- 
tion to a level of trusted code. 

The boot PROM according to claim 1 , wherein the 
software programmable data section includes a 
flash memory configured to enable software repro- 
gramming of the plurality of micro-code. 

The boot PROM according to claim 1, wherein the 
authentk:atk>n sectton includes a ROM (read only 
memory). 
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9, A method of operating a boot PROM (programma- 
ble read only memory) having programming instruc- 
tkKis for initiating a computer system comprising the 
steps: so 

generating a data hash in response to a plural- 
ity of micro-code programmed in a software 
programmable data section; and 
authenticating th data hash in an authentica- ss 
tlon section to authorize execution of the plu- 
rality of micro-code of the software programma- 
ble data section. 



10. The method of operating a boot PROM according 
to claim 9, wherein the software programmable data 
section includes a predetermined signature and the 
step of authenticating includes decrypting a verifi- 
cation hash in response to the predetermined sig- 
nature and a public key 

11. The method of operating a boot PROM according 
to claim 10. wherein the step of authenticating in- 
cludes comparing the data hash with the verification 
hash to authenticate the plurality of micro-code of 
the software programmable data section. 

12. The method of operating a boot PROM according 
to claim 10 further comprising the step encrypting a 
private key and an initial hash of a plurality of initial 
micro-code programmed to the software program- 
mable data sectton to provkle the predetermined 
signature. 

13. The method of operating a boot PROM according 
to claim 9. wherein the authentication sectfon in- 
cludes a plurality of tmsted micro-code furthercom- 
prises the step of propagating a level of trusted code 
to the plurality of micro-code of the software pro- 
grammable data section in response to proper au- 
thentication of the data hash. 

14. The method of operating a boot PROM according 
to daim 9 wherein the software programmable data 
section includes a flash memory further comprises 
the step of reprogramming the plurality of micro- 
code in the software programmable data section. 

15. The method of operating a boot PROM according 
to claim 9 whereiin the aiithenticatkxi section in- 
cludes a ROM (read only memory). 

16. A computer initialization system having a plurality 
of mk;ro-code to initiate the computer system com- 
prising: 

a hard disk having a plurality of storage bkxks 
configured to store programming data and ini- 
tializing boot data; 

a CPU (central processing unit) coupled to the 
hard disk configured to process programing da- 
ta from the hard disk; 

a display device coupled to the CPU and the 
hard disk configured to receive display data 
from the CPU and the hard disk; and 
a boot PROM (programmable read only mem- 
ory) coupled to the hard disk having a software 
programmable data section including the plu- 
rality of micro-code and an authentication sec- 
tion Including a hash generator configured to 
generate a data hash in response to the plural- 
ity of mfcro-code programmed in the software 
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programmable to authorize execution of the 
plurality of micro-code of the data section for 
directing the initializing boot data of the hard 
disk to execute. 

5 

17. The computer initiaiization system according to 
claim 16, wherein: 

the software programmable data section of the 
boot PROM includes a predetermined signa- io 
ture; and 

the authentication section of the boot PROM in- 
cludes a predetermined public key and a de- 
cryptor configured to provide an verification 
hash in response to the predetermined signa- 
ture and the public key. 

18. The computer initialization system according to 
clafrn 17, wherein the authentication section in- 
cludes a comparator configured to compare the da- 20 
ta hash with the verification hash to authenticate the 
plurality of mk:ro-code of the software programma* 

ble data section. 

19. The computer initialization system according to 2S 
claim 16, wherein the predetermined signature in- 
cludes a encfyption of a private key and an (nitial 
hash of a plurality hitial micro-code programmed 

to the software programmable data sectkxi. 

30 

20. The computer initialization system according to 
claim 19. wherein the proper authentication of the 
data hash by the authentication sectkxi of the ptu- 
rafity of trusted micro-code affords the plurality of 
micro-code programmed in the software progiam- 3$ 
mabte data section to a level of trusted code. 



40 



4S 



SO . 



ss 



6 



EP 0 816 970 A2 




Public Key 56 




Signature 
57 


Decryptor 54 


Hash Generator 
53 






Comparator 
52 


Unsecured 
Micro-code 
58 


Secured Micro-code 
51 




45 55 



FIG. .2 



8 



EP 0 816 970 A2 



Calculate 
Verification Hash 
from Micro-code 



Obtain Private Key 



Encrypt with 
Private Key and 
Verification Hash 
to Obtain 
Signature 




FIG. 3 

9 



EP 0 816 970 A2 



Generate 
Data Hash 
from Programmed 
Unsecured Micro-code 



72 



Decrypt 
Verification Hash 
with 
Public Key 
and Signature 



73 



Compare 
Verification Hash 
with Data Hash 



75 



If Verification 
Hash Matches 
Data Hash 



YES 



Alert User, 
provide recovery 
options 



Execute 
Micro-code of 
Programmable 
section 



FIG. 4 



10 



